Over the years, there has been continuous development in the cybersecurity domain as the digital footprints of organisations are expanding rapidly. Hybrid work and digital business processes in clouds have introduced more risks. Hackers are becoming more advanced, and organisations are facing ever-changing cyber security threats in various forms. Beyond reactive and proactive approaches, these organisations need to be on the constant lookout for the latest developments in this area, so that they can track and predict what kind of threats are knocking on their door and devise a plan for best practices to address these types of issues. The session will examine cyber security trends and best practices, as well as various developments and technicalities in this field.
To get an overview of the major trends and emerging risks in the cyber security and data privacy space in the industry, we had with us Kavitha Srinivasulu, Global Head of Cyber Risk & Data Privacy from Tata Consultancy Services and our in-house expert, Divya Baranwal, Research Director from Quadrant Knowledge Solutions. The discussion was kicked off by Shinjini Sarkar, our in-house Senior Content Specialist, who presented the questions to both experts.
Kavitha comes with 19 years of experience in cyber security, data privacy, and business resilience and has been associated with global companies like HCL, Wipro, Verizon, Bank of America, AstraZeneca, and other prominent brands for quite some time. Currently, she is at TCS, heading cyber risk and data privacy for BFSI global customers.
THE IMPORTANCE OF CYBER SECURITY
Kavitha Srinivasulu highlights the importance of data security in this digital age and how it has been continuously growing in sophistication and complexity around the globe. Cybersecurity is again becoming a key focus area for business leaders and key regulators to ensure that they can get sophisticated, grow with the technology, and enhance their global digital standards. But what we now see is a never-ending race: as technology grows, vulnerabilities accompany it, and in turn organisations' day-to-day operations are disrupted. With these changes happening, organizations expect to align with the company by continuing to invest in technology to grow their business effectively and reduce disruptions. The last couple of years have been far from ordinary. The work-from-home setting, which was exceedingly rare before COVID, has become a normal scene nowadays. On the note of working from home, working in an open environment is like inviting vulnerabilities and predators to exploit the opportunities given.
CYBER THREATS IN THE YEAR 2022
She highlighted some of the top security risks and trends that are changing in 2022. The most common are ransomware attacks. Every day, when you open social media, you can see that something or other is going on. For instance, data breaches, which prevailed both pre-COVID and post-COVID, are growing day by day. PII (Personally Identifiable Information) data, which was sold for 30 to 40 dollars before the pandemic, has now significantly increased to 300 to 400 dollars per PII data. And ransomware attacks have been increasing irrespective of whether the company is small, medium, or large. Another risk area is data privacy regulations, which are increasing day by day and being mandated. Regulators are mandating that organisations stick to them and align with them, which is a key challenge, where companies must stay on their toes to ensure that they are not missing anything. As always, the regulations are dynamic. They keep changing based on the current threat landscape and the business challenges and growth that we are seeing right now. Another area that is potentially growing is artificial intelligence, which, at a very high level, is going to benefit the cyber security platform by optimising efforts and replacing some of the manual work that individuals do on a day-to-day basis, be it with data access controls, security incident management, or threat intelligence. It is going to grow, but the security measures and security controls required for it are extensive, and the potential growth of artificial intelligence needs special attention from security resources.
Another area she would like to highlight here is mobile phones. The mobile phone is the new target for predators or cyber criminals as it functions as an alternate device. It is also a device which we use not only for our own requirements but also for our official requirements. Be it for mail checks, data communicators or any specific applications that are installed on our mobiles, we have started using them. Not only the applications but also the kind of information that we transfer and get access to is incredibly significant. With these devices on a private network, enabling official applications on a personal device needs special attention. This is currently a weak area, where organisations are developing a mobile device management policy and the framework behind it, ensuring that security controls are enabled around these mobile applications, that vulnerabilities are reduced, and that any issues arising, be it by social engineering, phishing, or email impersonation, are addressed. And the last one is the IoT, which is a platform working towards centralising the efforts and optimising the different tools that we are working on day in and day out. So, with these emerging technologies that are evolving, organizations are facing tremendous pressure to ensure that they are securing their corporate data as well as meeting their business requirements and the regulatory demands, so that they remain compliant in business.
COPING WITH SECURITY ATTACKS
Resonating with all the points Kavitha has mentioned, Divya speaks up on how Quadrant Knowledge Solutions has regular discussions with technology vendors and end users whilst figuring out what is emerging as the major trend, which is that cyber security attacks are growing rapidly not only in frequency and sophistication but also in complexity. Attackers are now finding newer and innovative ways to launch attacks, using a range of innovative approaches such as AI-driven attacks, automated attacks, social engineering attacks, IoT botnets, and others. This landscape is being fuelled by several factors, including rising cloud adoption and increased use of mobile and IoT devices. Then there is the growing usage of RPA bots, which is making things even more complex. It is quite difficult to differentiate between a good bot and a bad bot.
So, all of these, coupled with the growing stringency of data privacy regulations, are making organisations look out for dependable and best-in-class technology providers who can protect their data, network, and resources from distinct types of attacks. Technology vendors and service providers are constantly innovating their solutions in response to what is happening. At Quadrant Knowledge Solutions, we extensively track the global cyber security market in terms of market and technology developments. What we are witnessing is that there is a lot of development happening in the sector. Vendors are constantly striving to improve their technology offerings, be it through in-house research and development or mergers and acquisitions. There is increased adoption of emerging technologies like artificial intelligence, machine learning, advanced analytics, and RPA. Our vendors are using these extensively, and these technologies are becoming a driving force so that organisations can better monitor and protect their networks and resources, helping them advance their threat-hunting capabilities and prevent cyber-crimes. Another significant trend that we are observing is that of the zero-trust philosophy. We are currently seeing this in organizations worldwide because data is so decentralized, be it due to cloud computing or BYOD policies. Hence, everyone is going for zero-trust security and zero-trust architecture, which will ensure that only verified users or devices get access. We are also witnessing that vendors are investing heavily in managing and improving alert handling capabilities with automated remediation and responses. Then there are security automation orchestration capabilities with built-in security technologies. In the past, with various threat intelligence service providers, there was more focus on external security, but organisations are now focusing a lot on inside security as well.
And there is specialised software which is there to manage privacy, like data masking tools, privacy management software, and built-in reporting tools, which are becoming a part of major security solutions to streamline global regulatory compliance.
COMBATING THREATS WITH SECURITY PRACTICES
The next question that comes up is what primary checklist and best practices should be suggested to an organization for combating the cyber security threats in this rapidly changing technology world and how can organizations rethink these security practices to push cyber security decision-making out to the business unit to improve their security framework?
From Kavitha’s industry perspective, emerging risks and vulnerabilities, the growing technologies we have seen, and the implementation or need for cyber security controls are significantly important. And, given the rate of technological advancement across countries, basic bare minimum security is required for an organization, which is mandated not only by regulators but also by government seniors. For example, in the US specifically, they are taking steps to request and demand organizations to have a cyber security program in place to oversee the organizational risks in overcoming the challenges of financial and reputational risks. Hence, businesses must focus on improving their cyber security posture and determining their level of preparedness for an attack. For this, it is recommended to do an RCA or a self-assessment so that they know how compliant they are and whether they have the preliminary necessities to safeguard their networks, and to conduct drills to identify any security weaknesses in their environment and eradicate the vulnerabilities. First, they must know that it is globally understood and accepted through this. They will have to create or launch cyber security awareness as one of their key priorities and one of their practices in the organisation, because most of the cyber incidents that are occurring, nearly 60 to 65 per cent of them, are occurring due to the awareness issue. Whether it is an insider threat or an external influence, awareness culture has become one of the core reasons why an organisation has to undergo an incident or a ransomware attack. So, we must strengthen that employee awareness program and stick to having restricted access across all our employees.
INSIDER THREATS AND SECURITY
It is not like giving direct access will lead to a lot of insider threats where everyone is not aware of how to utilize the data and what to do with the data we are working on a day-to-day basis. Not only from insider threats but also from external password weaknesses, people are very prone to cyber threats. We must ensure we are enabling multi-factor authentication so that there is multi-layer security for getting into any application or any system that we are working on a day-to-day basis. Access controls are one of the core elements where most cyber incidents occur nowadays. Another few best practices to be highlighted are establishing a process to take regular backups and doing patch updates on an ongoing basis, and running a redundancy program with simulations or drills to ensure we can safeguard our data as well as understand the amount of data loss that would occur when an incident happens unexpectedly. So, we must perform continuous drills to understand how resilient we are in nature. This is a particularly important practice that an organization should build into their DNA just to ensure they are redundant and that would increase their business resilience. Another good practice that industries are striving for is having a pre-programmed or well-established process while relying on a third party.
Organizations are equipping their environments with security controls. They can do the ongoing drills like their internal reviews and compliance audits and all that. However, they fail to recognize that predators or cyber criminals do not only target or attempt to enter the network through their internal network but also through third parties. So, whomever we are going to work with, we must always ensure that their security measures are also part of the checklist, so that our third parties’ or suppliers’ networks are equipped with the required security measures to safeguard our network. Another best practice would be to disable the pop-ups or harden the system to ensure there is no copy-paste. It is one of the prone weaknesses of the system, so we will have to enable hardening of the system to ensure no data is prone to data loss or data leakage. We also have email communication that happens on a day-to-day basis. We will have to ensure that data encryption is enabled across the communication that happens across the tables. It might be through technologies that are developing, be it cryptography or using cipher technology, to ensure the data is encrypted and completely protected when the data that is going to be shared is highly confidential and critical. We will have to use a data encryption methodology to safeguard our data. Another good practice that is highly recommended for an organisation is to be compliant.
CYBER SECURITY AS A CONTINUOUS LEARNING PROCESS
Even though it is difficult, we will have to adapt to ensure we are aligning with the data privacy and regulatory requirements. Those are especially important for organisations nowadays, depending on the kind of vulnerabilities that we are facing on a day-to-day basis. We will have to create data protection and a cyber policy within our network and ensure we are sticking to the methodology and adopting a security-based culture which will help us to be compliant. It will also give us an opportunity or a way to enhance the security measures that we are working on today. There are a lot of places where customers can buy all the tools they need on the market. They hear about a tool that helps with endpoint security or with stopping malicious code in internal and external traffic, and they keep buying the tools without understanding how to utilize them and how to practice the security measures accordingly. So, it is not just buying the tool and keeping it aside that is going to stop us from being afraid of cyber-attacks, but continuous learning. Cyber security is not a formula, but an art. There is no right or wrong answer, and there is no set of security controls that we can recommend with the promise that, if you impose these, you will overcome cyber-attacks. It is not a one-time solution but rather a journey.
There are a lot of security controls as the technology grows and the vulnerabilities accompany it. It is evolving day by day. Hence, we will have to stick to the growing technology and see that our objectives are met with the organizations’ policies and standards and that the execution of our processes is in line with the security controls and security regulations, standards, and privacy acts that have been released and have been practised at a geo-to-geo level. It is recommended to minimize the risk of a future security incident and safeguard the data we are utilizing across organizations. The data, especially in the BFSI or healthcare industries, is stored in a humongous manner, especially the personal data growing during this COVID period. The amount of data that is being stored by the customers is extremely high. So, as organizations, we must thoroughly study the subject, understand the security measures required for the organization and implement them to avoid any emerging risks that are developing in 2022. Data security is going to be an ongoing process which needs to be understood. We must adapt to the evolving trends and changes and align with the best industry standards to stay resilient in the future.
BATTLING INTERNAL & EXTERNAL THREATS
Divya agrees with Kavitha’s points that any organisation should look forward to while ensuring that they have good cyber security practices in place. When we talk to organisations, we see that everyone is very sure about maintaining and checking the hygiene factors for external threats. Even reputed organisations do slack when it comes to insider threats. The concept is becoming more popular, with organizations looking for tools and measures to combat insider threats. There is also something that will take care of the insider threats, and there are so many incidences of insider threats happening, be it because of awareness issues or any slacking system. Now we see that organisations are looking out for solutions that can help them ensure and safeguard their success on all these fronts.
PRIORITIES FOR ORGANIZATIONS AND EXECUTIVES GOING FORWARD
Kavitha was asked to share her perspective on a question posed by Divya. Divya noted that security and risk executives are at an overly critical juncture where the digital footprint of the organization is rapidly expanding and deeply embedded vulnerabilities have exposed technology gaps where there are human errors and skills shortages. So, what was her perspective on what should be the priorities for organisations and executives going forward?
She explains that as organizations expand across the globe, they want to develop their business and have particularly good customer satisfaction, which plays a key role in any business and across any verticals. From the board of directors to the management or the security team, there are four elements that they expect from the organization. The first is awareness — it is the fundamental element and the foundation for any organization. The organization or the board of directors is slowly coming towards or growing towards giving importance to or overseeing the kind of security controls that we are working on enabling to protect our business. A couple of years ago, the security team was always optional. They always said there are zero returns, so why invest in the security team for whatever requirements they come in for? Now the trend has changed, and directors are overseeing the importance of security and the need for implementing security controls in the environment, and they are recommending or supporting the security team for both. And secondly, we will have to work continuously on monitoring the system and enabling our infrastructure with the right set of security controls and ensure if any vulnerabilities come only by continuous scanning and managing the network because the vulnerabilities are not once a month or once a year – they keep evolving day by day. So, we will have to identify the risks and ensure that whatever risks that we have identified are mitigated on an ongoing basis and eradicate the critical and high vulnerabilities to avoid exploitation of data. For this, continuous security monitoring is recommended and wrapped vulnerability assessment and penetration testing for the critical application specifically to ensure no external threats are entering the environment. Finally, it is to reduce the dependency on suppliers. 
Suppliers’ dependency has grown day by day, and we are failing to understand how strong the security culture is in the third party’s environment while we are engaging with them. So, we must ensure that we are looking at security not only in our own atmosphere but also on the third-party site, to ensure there are zero issues and unforeseen attacks. As the trends are growing now, be it AI/ML or IoT or cloud security, different technologies are growing in the environment and there is always a mindset among teams and employees that as technology is growing, only the manual efforts are ending up in security flaws or any risks that we are facing. The technology will not stop the attacks, but it will help us optimize the effort. However, the cyber-attacks will not stop and have their level of contingencies or their level of threats in the respective environments, which we will have to understand, adapting the security controls accordingly. That is the bare minimum needed to protect our environment while we are strengthening to develop our existing network.
A MESSAGE TO FRESHERS
In the end, Kavitha is asked what message she would like to give to the freshers who are entering the whole cybersecurity domain and how she would like to lead them towards a better experience in this whole area.
“There are webinars conducted and there are people who speak at schools and colleges, building awareness and enabling that security culture at an early age itself. For all the strong young professionals, who have the intelligence and are smart to manage their situations, there is no stoppage from getting into the cyber security world. The opportunities are waiting, but as per the recent surveys and media, there will be a shortage of cybersecurity resources by 2025. We foresee ample opportunities that are available in the cyber security and data privacy areas and there is no limit for individuals at any point in time to sit, adapt and grow with the passion that they want to grow. If you fail to plan on what you want to become, then it will end up in a mess and we will be confused about what we need in the future.”
Divya ends her comments by adding two more points. She mentions that from a market and technology perspective, with so many cyber security threats that are going up in volume and with the stringent data privacy regulations, there is a lot of development that is happening in the market and organisations are looking out for better solutions to protect themselves from all these threats. From the younger generations’ side, there are a lot of dilemmas regarding so much technology coming, and with automation and artificial intelligence happening, there could be a lot of options left in the future. She concludes her thought by stating that technology will be an enabler, so whatever technology is developed, there will be more opportunities for everyone, and we simply need to reskill ourselves and learn more skills to be productive and helpful in the coming times.
Sayeri Roy is a Content Writer at Quadrant Knowledge Solutions